fetchFromGitHub function allows for fetching from private repos, which requires specifying a username/password. It gets these from environment variables.
Personally, I’m a bit leery of stuffing my GitHub credentials into environment variables accessible to any tool I run. I know that sticking them in something like ~/.netrc makes them visible to tools I run, so I need to trust anything I run anyway, but I feel like reading ~/.netrc is a conscious decision (and one that I could theoretically detect) whereas environment variables are things that might end up in various logs (e.g. build logs) and whatnot.
Is there any way of having fetchFromGitHub read the username/password from something other than environment variables (using ~/.netrc would be ideal, since this is a single-user install), or do I just need to give up and wrap nix in a script that sets the variables (so at least they’re not exposed to every other tool I run)?